AudioJailbreak: Jailbreak Attacks against End-to-End Large Audio-Language Models

TL;DR

This paper introduces AUDIOJAILBREAK, a novel audio attack against large audio-language models that is asynchronous, universal, stealthy, and robust over-the-air, significantly advancing the effectiveness and practicality of jailbreak attacks.

Contribution

The paper proposes AUDIOJAILBREAK, a comprehensive audio jailbreak method with new features like asynchrony, universality, stealthiness, and over-the-air robustness, outperforming prior attacks.

Findings

AUDIOJAILBREAK effectively bypasses GPT-4o-Audio and Llama-Guard-3 safeguards.

It works under both strong and weak adversary scenarios.

The attack remains effective over-the-air with reverberation.

Abstract

Jailbreak attacks to Large audio-language models (LALMs) are studied recently, but they exclusively focused on the attack scenario where the adversary can fully manipulate user prompts (named strong adversary) and limited in effectiveness, applicability, and practicability. In this work, we first conduct an extensive evaluation showing that advanced text jailbreak attacks cannot be easily ported to end-to-end LALMs via text-to-speech (TTS) techniques. We then propose AUDIOJAILBREAK, a novel audio jailbreak attack, featuring (1) asynchrony: the jailbreak audios do not need to align with user prompts in the time axis by crafting suffixal jailbreak audios; (2) universality: a single jailbreak perturbation is effective for different prompts by incorporating multiple prompts into the perturbation generation; (3) stealthiness: the malicious intent of jailbreak audios is concealed by proposing various intent concealment strategies; and (4) over-the-air robustness: the jailbreak audios remain effective when being played over the air by incorporating reverberation into the perturbation generation. In contrast, all prior audio jailbreak attacks cannot offer asynchrony, universality, stealthiness, and/or over-the-air robustness. Moreover, AUDIOJAILBREAK is also applicable to a more practical and broader attack scenario where the adversary cannot fully manipulate user prompts (named weak adversary). Extensive experiments with thus far the most LALMs demonstrate the high effectiveness of AUDIOJAILBREAK, in particular, it can jailbreak openAI's GPT-4o-Audio and bypass Meta's Llama-Guard-3 safeguard, in the weak adversary scenario. We highlight that our work peeks into the security implications of audio jailbreak attacks against LALMs, and realistically fosters improving their robustness, especially for the newly proposed weak adversary.